computers / comp.os.vms / Re: The hardware support problem for x86

Re: The hardware support problem for x86

<t6aqtd$1hno$1@gioia.aioe.org>

https://www.novabbs.com/computers/article-flat.php?id=22867&group=comp.os.vms#22867
Path: i2pn2.org!i2pn.org!aioe.org!jazQyxryRFiI4FEZ51SAvA.user.46.165.242.75.POSTED!not-for-mail
From: chris-no...@tridac.net (chris)
Newsgroups: comp.os.vms
Subject: Re: The hardware support problem for x86
Date: Sat, 21 May 2022 14:53:49 +0100
Organization: Aioe.org NNTP Server
Message-ID: <t6aqtd$1hno$1@gioia.aioe.org>
References: <jes6g6Fckl0U1@mid.individual.net> <memo.20220521143544.11824a@jgd.cix.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Info: gioia.aioe.org; logging-data="50936"; posting-host="jazQyxryRFiI4FEZ51SAvA.user.gioia.aioe.org"; mail-complaints-to="abuse@aioe.org";
User-Agent: Mozilla/5.0 (X11; SunOS sun4u; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
X-Notice: Filtered by postfilter v. 0.9.2
 by: chris - Sat, 21 May 2022 13:53 UTC

On 05/21/22 14:35, John Dallman wrote:
> In article<jes6g6Fckl0U1@mid.individual.net>, bill.gunshannon@gmail.com
> (Bill Gunshannon) wrote:
>
>> If I were still doing this and had the money I would go with IBM
>> any day. Unless it turns out they, too, are made in China. At
>> that point all bets are off.
>
> The last time I bought low-end POWER servers from IBM, they were made in
> China. So I think you can expect anything x86-based to come from there
> too.
>
> John

Fwics, a lot of kit is manufactured in China these days, but at least
with a vendor like IBM or even HP, I would trust them over some others,
as they will have processes in place to ensure security at hardware
level. All levels of manufacturing, from schematics, pcb layouts and
production samples.

The original report on the hardware spyware was in the Wall Street
Journal and involved added hardware hidden on the m/b under other
parts. If you think a microprocessor with firmware can be just a
5mm or less square these days, such things can be difficult to
find. Quite a fuss at the time, but don't remember what the final
outcome was. Of course, it might have been the work of NSA or other
security agencies here, but just shows again, how essential effective
hardware firewalling is, incoming and outgoing...

Chris

Re: The hardware support problem for x86

<t6auhd$cma$1@panix2.panix.com>

https://www.novabbs.com/computers/article-flat.php?id=22869&group=comp.os.vms#22869
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!panix!.POSTED.panix2.panix.com!panix2.panix.com!not-for-mail
From: klu...@panix.com (Scott Dorsey)
Newsgroups: comp.os.vms
Subject: Re: The hardware support problem for x86
Date: 21 May 2022 14:55:41 -0000
Organization: Former users of Netcom shell (1989-2000)
Lines: 32
Message-ID: <t6auhd$cma$1@panix2.panix.com>
References: <jemtcdFc70aU4@mid.individual.net> <t68ueh$7ab$1@dont-email.me> <6288234f$0$702$14726298@news.sunsite.dk> <t6ai87$35m$1@gioia.aioe.org>
Injection-Info: reader1.panix.com; posting-host="panix2.panix.com:166.84.1.2";
logging-data="27336"; mail-complaints-to="abuse@panix.com"
 by: Scott Dorsey - Sat, 21 May 2022 14:55 UTC

chris <chris-nospam@tridac.net> wrote:
[regarding supermicro]

>There was also the report in the Register and elsewhere about
>the possibility of management processors that reported back
>to China. Just the possibility of spyware in hardware would
>make me think twice about using such machines.

That report was a bit over the top when it came out and has since been
pretty well discredited.

However, even so, many government agencies are still barred from
buying Supermicro hardware. This is enough of a reason to avoid
it as a base if you're wanting to sell into that market.

Another significant problem from my standpoint is that Supermicro
hardware really isn't very stable. Every time I look the board I
used last has been discontinued and replaced with something new and
slightly different. They are even worse than HPE about this and HPE
is really annoying.

>With engineer hat on, always found Dell to be a bit lightweight,
>but IBM also make 1 and 2U server platforms and most IBM kit
>is very well engineered. Always interested in build quality
>and what's under the hood here, as it's assumed that most major
>vendor's kit will run all windows server and Linux distros
>without serious issues...

I have never used the IBM x86 stuff... which models do you recommend?
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."

Re: The hardware support problem for x86

<jesdiqFduqmU1@mid.individual.net>

https://www.novabbs.com/computers/article-flat.php?id=22870&group=comp.os.vms#22870
Path: i2pn2.org!i2pn.org!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: bill.gun...@gmail.com (Bill Gunshannon)
Newsgroups: comp.os.vms
Subject: Re: The hardware support problem for x86
Date: Sat, 21 May 2022 11:08:08 -0400
Lines: 44
Message-ID: <jesdiqFduqmU1@mid.individual.net>
References: <jes6g6Fckl0U1@mid.individual.net>
<memo.20220521143544.11824a@jgd.cix.co.uk> <t6aqtd$1hno$1@gioia.aioe.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Trace: individual.net IgzWjd6y+JRynqV17g0c7QnW+qzC68hGoRL3q+j5JMLbSfjcl0
Cancel-Lock: sha1:T2nisNiv2fmCwzmAgW0fXDtrLWU=
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Thunderbird/91.8.1
Content-Language: en-US
In-Reply-To: <t6aqtd$1hno$1@gioia.aioe.org>
 by: Bill Gunshannon - Sat, 21 May 2022 15:08 UTC

On 5/21/22 09:53, chris wrote:
> On 05/21/22 14:35, John Dallman wrote:
>> In article<jes6g6Fckl0U1@mid.individual.net>, bill.gunshannon@gmail.com
>> (Bill Gunshannon) wrote:
>>
>>> If I were still doing this and had the money I would go with IBM
>>> any day.  Unless it turns out they, too, are made in China.  At
>>> that point all bets are off.
>>
>> The last time I bought low-end POWER servers from IBM, they were made in
>> China. So I think you can expect anything x86-based to come from there
>> too.
>>
>> John
>
> Fwics, a lot of kit is manufactured in China these days, but at least
> with a vendor like IBM or even HP, I would trust them over some others,
> as they will have processes in place to ensure security at hardware
> level. All levels of manufacturing, from schematics, pcb layouts and
> production samples.

The only problem would be the possibility that they have been coerced
into doing it by the Chinese government. Not paranoid, just aware of
the current situation.

>
> The original report on the hardware spyware was in the Wall Street
> Journal and involved added hardware hidden on the m/b under other
> parts. If you think a microprocessor with firmware can be just a
> 5mm or less square these days, such things can be difficult to
> find. Quite a fuss at the time, but don't remember what the final
> outcome was. Of course, it might have been the work of NSA or other
> security agencies here, but just shows again, how essential effective
> hardware firewalling is, incoming and outgoing...
>

Same as the report on Lenovo 15 years ago. It definitely wasn't
NSA as they are the ones who reported it. While firewalling is
definitely a requirement we chose to just not allow the systems on
the network at all.

bill

Re: The hardware support problem for x86

<t6b0of$1u2q$1@gioia.aioe.org>

https://www.novabbs.com/computers/article-flat.php?id=22872&group=comp.os.vms#22872
Path: i2pn2.org!i2pn.org!aioe.org!jazQyxryRFiI4FEZ51SAvA.user.46.165.242.75.POSTED!not-for-mail
From: chris-no...@tridac.net (chris)
Newsgroups: comp.os.vms
Subject: Re: The hardware support problem for x86
Date: Sat, 21 May 2022 16:33:35 +0100
Organization: Aioe.org NNTP Server
Message-ID: <t6b0of$1u2q$1@gioia.aioe.org>
References: <jemtcdFc70aU4@mid.individual.net> <t68ueh$7ab$1@dont-email.me> <6288234f$0$702$14726298@news.sunsite.dk> <t6ai87$35m$1@gioia.aioe.org> <t6auhd$cma$1@panix2.panix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Info: gioia.aioe.org; logging-data="63578"; posting-host="jazQyxryRFiI4FEZ51SAvA.user.gioia.aioe.org"; mail-complaints-to="abuse@aioe.org";
User-Agent: Mozilla/5.0 (X11; SunOS sun4u; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
X-Notice: Filtered by postfilter v. 0.9.2
 by: chris - Sat, 21 May 2022 15:33 UTC

On 05/21/22 15:55, Scott Dorsey wrote:
> chris<chris-nospam@tridac.net> wrote:
> [regarding supermicro]
>
>> There was also the report in the Register and elsewhere about
>> the possibility of management processors that reported back
>> to China. Just the possibility of spyware in hardware would
>> make me think twice about using such machines.
>
> That report was a bit over the top when it came out and has since been
> pretty well discredited.
>
> However, even so, many government agencies are still barred from
> buying Supermicro hardware. This is enough of a reason to avoid
> it as a base if you're wanting to sell into that market.
>
> Another significant problem from my standpoint is that Supermicro
> hardware really isn't very stable. Every time I look the board I
> used last has been discontinued and replaced with something new and
> slightly different. They are even worse than HPE about this and HPE
> is really annoying.
>
>> With engineer hat on, always found Dell to be a bit lightweight,
>> but IBM also make 1 and 2U server platforms and most IBM kit
>> is very well engineered. Always interested in build quality
>> and what's under the hood here, as it's assumed that most major
>> vendor's kit will run all windows server and Linux distros
>> without serious issues...
>
> I have never used the IBM x86 stuff... which models do you recommend?
> --scott

Still looking into that, but looking for something equivalent to dl360
and dl380 Proliant. Basic spec, 2 x I5 processors min and
options as per the DL... series. Never buy new here, but X3550 M4 or M5
look far enough down the price curve to make them interesting for
evaluation purposes. Looking at other vendors, it's quite difficult
to match the functionality & common sense of Proliant. Oddball things
in bios like the ability to disable on board video to prioritise a more
capable added card, was not possible on some Fujitsu kit tested
a while back. Fine for headless use only, but dual purpose some
machines here as desktop and server. Devil is in the detail, as usual
and only way to really find out is to have the hardware in front of
you. Some machines have very limited bios functionality, which limits
choices and potential usage.

Will probably buy an IBM X series later in the year for evaluation,
but unlikely to be state of the art current model.

Chris

Re: The hardware support problem for x86

<t6b95o$1g2n$1@gioia.aioe.org>

https://www.novabbs.com/computers/article-flat.php?id=22873&group=comp.os.vms#22873
Path: i2pn2.org!i2pn.org!aioe.org!jazQyxryRFiI4FEZ51SAvA.user.46.165.242.75.POSTED!not-for-mail
From: chris-no...@tridac.net (chris)
Newsgroups: comp.os.vms
Subject: Re: The hardware support problem for x86
Date: Sat, 21 May 2022 18:57:12 +0100
Organization: Aioe.org NNTP Server
Message-ID: <t6b95o$1g2n$1@gioia.aioe.org>
References: <jes6g6Fckl0U1@mid.individual.net> <memo.20220521143544.11824a@jgd.cix.co.uk> <t6aqtd$1hno$1@gioia.aioe.org> <jesdiqFduqmU1@mid.individual.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Info: gioia.aioe.org; logging-data="49239"; posting-host="jazQyxryRFiI4FEZ51SAvA.user.gioia.aioe.org"; mail-complaints-to="abuse@aioe.org";
User-Agent: Mozilla/5.0 (X11; SunOS sun4u; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
X-Notice: Filtered by postfilter v. 0.9.2
 by: chris - Sat, 21 May 2022 17:57 UTC

On 05/21/22 16:08, Bill Gunshannon wrote:
> On 5/21/22 09:53, chris wrote:
>> On 05/21/22 14:35, John Dallman wrote:
>>> In article<jes6g6Fckl0U1@mid.individual.net>, bill.gunshannon@gmail.com
>>> (Bill Gunshannon) wrote:
>>>
>>>> If I were still doing this and had the money I would go with IBM
>>>> any day. Unless it turns out they, too, are made in China. At
>>>> that point all bets are off.
>>>
>>> The last time I bought low-end POWER servers from IBM, they were made in
>>> China. So I think you can expect anything x86-based to come from there
>>> too.
>>>
>>> John
>>
>> Fwics, a lot of kit is manufactured in China these days, but at least
>> with a vendor like IBM or even HP, I would trust them over some others,
>> as they will have processes in place to ensure security at hardware
>> level. All levels of manufacturing, from schematics, pcb layouts and
>> production samples.
>
> The only problem would be the possibility that they have been coerced
> into doing it by the Chinese government. Not paranoid, just aware of
> the current situation.
>
>>
>> The original report on the hardware spyware was in the Wall Street
>> Journal and involved added hardware hidden on the m/b under other
>> parts. If you think a microprocessor with firmware can be just a
>> 5mm or less square these days, such things can be difficult to
>> find. Quite a fuss at the time, but don't remember what the final
>> outcome was. Of course, it might have been the work of NSA or other
>> security agencies here, but just shows again, how essential effective
>> hardware firewalling is, incoming and outgoing...
>>
>
> Same as the report on Lenovo 15 years ago. It definitely wasn't
> NSA as they are the ones who reported it. While firewalling is
> definitely a requirement we chose to just not allow the systems on
> the network at all.
>
> bill
>
>

That's the ideal, but can cause issues if you are running a
web server or other external services. Get round that here by
using old Sparc hardware, on the basis that many intrusion exploits
depend on getting an executable binary loaded onto the machine. If
the binary won't run on the architecture, then the exploit fails.
Overkill perhaps, but small shop here and not a problem to experiment
with a variety of solutions. Plan to replace it with an Arm single
board computer, FreeBSD at some stage, but no time as yet...

Chris

Re: The hardware support problem for x86

<1305761e-0376-4205-8fd5-73ca49ff4ee5n@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=22874&group=comp.os.vms#22874
X-Received: by 2002:ac8:7f43:0:b0:2f3:d55d:7296 with SMTP id g3-20020ac87f43000000b002f3d55d7296mr11953827qtk.635.1653168980635;
Sat, 21 May 2022 14:36:20 -0700 (PDT)
X-Received: by 2002:a05:6214:1cc3:b0:443:689a:9b72 with SMTP id
g3-20020a0562141cc300b00443689a9b72mr12412228qvd.125.1653168980470; Sat, 21
May 2022 14:36:20 -0700 (PDT)
Path: i2pn2.org!i2pn.org!news.swapon.de!fu-berlin.de!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.os.vms
Date: Sat, 21 May 2022 14:36:20 -0700 (PDT)
In-Reply-To: <jesdiqFduqmU1@mid.individual.net>
Injection-Info: google-groups.googlegroups.com; posting-host=2600:1700:46b0:abc0:4bdd:86a:5c:7bfe;
posting-account=OGFVHQoAAAASiNAamRQec8BtkuXxYFnQ
NNTP-Posting-Host: 2600:1700:46b0:abc0:4bdd:86a:5c:7bfe
References: <jes6g6Fckl0U1@mid.individual.net> <memo.20220521143544.11824a@jgd.cix.co.uk>
<t6aqtd$1hno$1@gioia.aioe.org> <jesdiqFduqmU1@mid.individual.net>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <1305761e-0376-4205-8fd5-73ca49ff4ee5n@googlegroups.com>
Subject: Re: The hardware support problem for x86
From: jake.ha...@gmail.com (Jake Hamby)
Injection-Date: Sat, 21 May 2022 21:36:20 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
 by: Jake Hamby - Sat, 21 May 2022 21:36 UTC

On Saturday, May 21, 2022 at 8:08:14 AM UTC-7, Bill Gunshannon wrote:
> >
> > Fwics, a lot of kit is manufactured in China these days, but at least
> > with a vendor like IBM or even HP, I would trust them over some others,
> > as they will have processes in place to ensure security at hardware
> > level. All levels of manufacturing, from schematics, pcb layouts and
> > production samples.
> The only problem would be the possibility that they have been coerced
> into doing it by the Chinese government. Not paranoid, just aware of
> the current situation.
> >
> > The original report on the hardware spyware was in the Wall Street
> > Journal and involved added hardware hidden on the m/b under other
> > parts. If you think a microprocessor with firmware can be just a
> > 5mm or less square these days, such things can be difficult to
> > find. Quite a fuss at the time, but don't remember what the final
> > outcome was. Of course, it might have been the work of NSA or other
> > security agencies here, but just shows again, how essential effective
> > hardware firewalling is, incoming and outgoing...
> >
> Same as the report on Lenovo 15 years ago. It definitely wasn't
> NSA as they are the ones who reported it. While firewalling is
> definitely a requirement we chose to just not allow the systems on
> the network at all.

The Supermicro story seemed like someone's planted FUD to me, given how emphatic the denials of Apple, Google, and of course Supermicro were. Anything's plausible. I'm surprised that non-US companies are so willing to buy American hardware, especially Intel, given that it's easy to make the same claims that the NSA may have coerced them into installing American spyware. :)

I think I'd trust IBM to stand up for their own corporate honor as far as the security of their firmware, and it's probably one of the reasons why they did sell their x86 division to a Chinese company: there are major Chinese banks and institutions running on IBM mainframes, after all. They can put Lenovo servers in their mainframe racks (in place of the Lenovo ThinkPads that too easily got separated from the mainframes, making them worthless for resale), and presumably everyone is auditing each other's code enough to trust "but verify" that everything's sensible.

Intel has now put so much code in their "negative rings" of the Management Engine that it's an open question whether it actually provides any security to the customer or should be disabled completely: https://en.wikipedia.org/wiki/Intel_Management_Engine

One good thing about running in virtualization is that VSI can punt on the issue of auditing the security of the UEFI BIOS and all that x86 firmware that's one of the less pleasant aspects of the x86 platform. Did you know that Linux and Windows NT have to ignore the first 1MB of RAM because there's no way to find out who may be using it? https://www.phoronix.com/scan.php?page=news_item&px=Windows-Reserves-First-1MB-RAM

Re: The hardware support problem for x86

<c1756b79-48b3-4eea-b28f-e16e02d00971n@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=22876&group=comp.os.vms#22876
X-Received: by 2002:a05:620a:4454:b0:6a3:6f0c:4e86 with SMTP id w20-20020a05620a445400b006a36f0c4e86mr1943178qkp.229.1653169482151;
Sat, 21 May 2022 14:44:42 -0700 (PDT)
X-Received: by 2002:ac8:5f0c:0:b0:2f3:cbad:5024 with SMTP id
x12-20020ac85f0c000000b002f3cbad5024mr12065661qta.578.1653169481981; Sat, 21
May 2022 14:44:41 -0700 (PDT)
Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!feed1.usenet.blueworldhosting.com!peer03.iad!feed-me.highwinds-media.com!news.highwinds-media.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.os.vms
Date: Sat, 21 May 2022 14:44:41 -0700 (PDT)
In-Reply-To: <t6b95o$1g2n$1@gioia.aioe.org>
Injection-Info: google-groups.googlegroups.com; posting-host=2600:1700:46b0:abc0:4bdd:86a:5c:7bfe;
posting-account=OGFVHQoAAAASiNAamRQec8BtkuXxYFnQ
NNTP-Posting-Host: 2600:1700:46b0:abc0:4bdd:86a:5c:7bfe
References: <jes6g6Fckl0U1@mid.individual.net> <memo.20220521143544.11824a@jgd.cix.co.uk>
<t6aqtd$1hno$1@gioia.aioe.org> <jesdiqFduqmU1@mid.individual.net> <t6b95o$1g2n$1@gioia.aioe.org>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <c1756b79-48b3-4eea-b28f-e16e02d00971n@googlegroups.com>
Subject: Re: The hardware support problem for x86
From: jake.ha...@gmail.com (Jake Hamby)
Injection-Date: Sat, 21 May 2022 21:44:42 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Received-Bytes: 2954
 by: Jake Hamby - Sat, 21 May 2022 21:44 UTC

On Saturday, May 21, 2022 at 10:57:15 AM UTC-7, chris wrote:
> That's the ideal, but can cause issues if you are running a
> web server or other external services. Get round that here by
> using old Sparc hardware, on the basis that many intrusion exploits
> depend on getting an executable binary loaded onto the machine. If
> the binary won't run on the architecture, then the exploit fails.
> Overkill perhaps, but small shop here and not a problem to experiment
> with a variety of solutions. Plan to replace it with an Arm single
> board computer, FreeBSD at some stage, but no time as yet...

There's a good argument for Itanium for that purpose (perhaps the only good argument left for Itanium these days). The DCL vulnerability reported in early 2018 was patched for VAX, Alpha, and Itanium, but the Itanium patch was to protect any Alpha nodes on the same cluster: Itanium alone wasn't vulnerable, even though this was specifically a VMS attack and they tried to attack it. The register stack engine and unusual instruction encoding seem to thwart the common exploits.

I'd argue that ARM is much too popular to be considered "obscure" as far as providing any protection from common exploits. I'd suggest looking into recent POWER CPUs, although unfortunately you need a POWER8 or newer to run the ppc64le distros that are currently supported by the Linux vendors. Personally, I like the extra layer of confusion that running 64-bit *big-endian* Linux on a PowerMac Quad G5 provides, although admittedly it's not the best form factor for a datacenter.
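The architecture-mismatch argument made in the two posts above can be checked mechanically: an ELF file declares its word size, byte order and CPU in the first 20 bytes of its header. The following is an added example, not code from any poster; it triages files found on a host by that header, and the SPARC host definition, the sample file names and the sample bytes are all constructed assumptions. It also covers script files, which carry no architecture field at all.

```python
import struct

# e_machine values from the ELF specification (subset named in the thread).
EM_NAMES = {2: "sparc", 3: "x86", 20: "ppc", 21: "ppc64", 40: "arm",
            43: "sparcv9", 50: "ia64", 62: "x86_64", 183: "aarch64"}

# Assumption: a 64-bit SPARC host that also runs 32-bit SPARC binaries.
SPARC_HOST = {("sparc", 32, "big"), ("sparcv9", 64, "big")}


class NotElf(ValueError):
    """Raised when the data does not start with a valid ELF header."""


def parse_elf_ident(data):
    """Return (machine, bits, byteorder) read from an ELF header."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise NotElf("missing ELF magic or truncated header")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise NotElf("invalid EI_CLASS or EI_DATA")
    bits = 32 if ei_class == 1 else 64
    order = "little" if ei_data == 1 else "big"
    # e_type and e_machine follow the 16-byte e_ident, stored in the
    # byte order that e_ident itself declares.
    fmt = "<HH" if order == "little" else ">HH"
    _e_type, e_machine = struct.unpack_from(fmt, data, 16)
    return EM_NAMES.get(e_machine, "unknown(%d)" % e_machine), bits, order


def make_header(ei_class, ei_data, e_machine):
    """Build a constructed 20-byte ELF header prefix for the samples."""
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    fmt = "<HH" if ei_data == 1 else ">HH"
    return ident + struct.pack(fmt, 2, e_machine)  # e_type 2 = ET_EXEC


def triage(data, host_abis):
    """Classify a file as native, foreign, script or unknown for this host."""
    if data[:2] == b"#!":
        # Interpreted files run wherever the interpreter exists, so the
        # CPU architecture gives no protection against them.
        return "script"
    try:
        abi = parse_elf_ident(data)
    except NotElf:
        return "unknown"
    return "native" if abi in host_abis else "foreign"


# Constructed samples: names and contents are illustrative only.
SAMPLES = {
    "upload_x86_64": make_header(2, 1, 62),
    "upload_aarch64": make_header(2, 1, 183),
    "upload_ppc64le": make_header(2, 1, 21),
    "tool_sparcv9": make_header(2, 2, 43),
    "stage.sh": b"#!/bin/sh\necho constructed sample\n",
    "notes.txt": b"plain text",
}


def report(samples, host_abis):
    """Map each sample name to its triage verdict."""
    return {name: triage(blob, host_abis) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in report(SAMPLES, SPARC_HOST).items():
        print("%-16s %s" % (name, verdict))
```

A "foreign" verdict on a file that appeared unexpectedly is itself worth alerting on, since it suggests something tried to stage a binary built for a different platform.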

Re: The hardware support problem for x86

<t6dbn4$1msa$1@gioia.aioe.org>

https://www.novabbs.com/computers/article-flat.php?id=22880&group=comp.os.vms#22880
Path: i2pn2.org!i2pn.org!aioe.org!jazQyxryRFiI4FEZ51SAvA.user.46.165.242.75.POSTED!not-for-mail
From: chris-no...@tridac.net (chris)
Newsgroups: comp.os.vms
Subject: Re: The hardware support problem for x86
Date: Sun, 22 May 2022 13:52:52 +0100
Organization: Aioe.org NNTP Server
Message-ID: <t6dbn4$1msa$1@gioia.aioe.org>
References: <jes6g6Fckl0U1@mid.individual.net> <memo.20220521143544.11824a@jgd.cix.co.uk> <t6aqtd$1hno$1@gioia.aioe.org> <jesdiqFduqmU1@mid.individual.net> <t6b95o$1g2n$1@gioia.aioe.org> <c1756b79-48b3-4eea-b28f-e16e02d00971n@googlegroups.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Info: gioia.aioe.org; logging-data="56202"; posting-host="jazQyxryRFiI4FEZ51SAvA.user.gioia.aioe.org"; mail-complaints-to="abuse@aioe.org";
User-Agent: Mozilla/5.0 (X11; SunOS sun4u; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
X-Notice: Filtered by postfilter v. 0.9.2
 by: chris - Sun, 22 May 2022 12:52 UTC

On 05/21/22 22:44, Jake Hamby wrote:
> On Saturday, May 21, 2022 at 10:57:15 AM UTC-7, chris wrote:
>> That's the ideal, but can cause issues if you are running a
>> web server or other external services. Get round that here by
>> using old Sparc hardware, on the basis that many intrusion exploits
>> depend on getting an executable binary loaded onto the machine. If
>> the binary won't run on the architecture, then the exploit fails.
>> Overkill perhaps, but small shop here and not a problem to experiment
>> with a variety of solutions. Plan to replace it with an Arm single
>> board computer, FreeBSD at some stage, but no time as yet...
>
> There's a good argument for Itanium for that purpose (perhaps the only good argument left for Itanium these days). The DCL vulnerability reported in early 2018 was patched for VAX, Alpha, and Itanium, but the Itanium patch was to protect any Alpha nodes on the same cluster: Itanium alone wasn't vulnerable, even though this was specifically a VMS attack and they tried to attack it. The register stack engine and unusual instruction encoding seem to thwart the common exploits.
>
> I'd argue that ARM is much too popular to be considered "obscure" as far as providing any protection from common exploits. I'd suggest looking into recent POWER CPUs, although unfortunately you need a POWER8 or newer to run the ppc64le distros that are currently supported by the Linux vendors. Personally, I like the extra layer of confusion that running 64-bit *big-endian* Linux on a PowerMac Quad G5 provides, although admittedly it's not the best form factor for a datacenter.

Probably right about Itanium and Arm, for opposite reasons of
course. Limited experience with Power series, though was quite
impressed with a power series server some years ago. Also liked
aix 6 as a fully sorted os and the hardware construction was
superb. Good system management tools as well.

If you go Apple, there are quite a few Xserve G5 machines still around
at low cost on a good day. Long in the tooth, but dual G5 processors,
and 1u rackmount format. They are supported by quite a few open
source os's...

Chris

Re: The hardware support problem for x86

<t6dete$10te$1@gioia.aioe.org>

https://www.novabbs.com/computers/article-flat.php?id=22881&group=comp.os.vms#22881
Path: i2pn2.org!i2pn.org!aioe.org!jazQyxryRFiI4FEZ51SAvA.user.46.165.242.75.POSTED!not-for-mail
From: chris-no...@tridac.net (chris)
Newsgroups: comp.os.vms
Subject: Re: The hardware support problem for x86
Date: Sun, 22 May 2022 14:47:26 +0100
Organization: Aioe.org NNTP Server
Message-ID: <t6dete$10te$1@gioia.aioe.org>
References: <jes6g6Fckl0U1@mid.individual.net> <memo.20220521143544.11824a@jgd.cix.co.uk> <t6aqtd$1hno$1@gioia.aioe.org> <jesdiqFduqmU1@mid.individual.net> <1305761e-0376-4205-8fd5-73ca49ff4ee5n@googlegroups.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Info: gioia.aioe.org; logging-data="33710"; posting-host="jazQyxryRFiI4FEZ51SAvA.user.gioia.aioe.org"; mail-complaints-to="abuse@aioe.org";
User-Agent: Mozilla/5.0 (X11; SunOS sun4u; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
X-Notice: Filtered by postfilter v. 0.9.2
 by: chris - Sun, 22 May 2022 13:47 UTC

On 05/21/22 22:36, Jake Hamby wrote:
> On Saturday, May 21, 2022 at 8:08:14 AM UTC-7, Bill Gunshannon wrote:
>>>
>>> Fwics, a lot of kit is manufactured in China these days, but at least
>>> with a vendor like IBM or even HP, I would trust them over some others,
>>> as they will have processes in place to ensure security at hardware
>>> level. All levels of manufacturing, from schematics, pcb layouts and
>>> production samples.
>> The only problem would be the possibility that they have been coerced
>> into doing it by the Chinese government. Not paranoid, just aware of
>> the current situation.
>>>
>>> The original report on the hardware spyware was in the Wall Street
>>> Journal and involved added hardware hidden on the m/b under other
>>> parts. If you think a microprocessor with firmware can be just a
>>> 5mm or less square these days, such things can be difficult to
>>> find. Quite a fuss at the time, but don't remember what the final
>>> outcome was. Of course, it might have been the work of NSA or other
>>> security agencies here, but just shows again, how essential effective
>>> hardware firewalling is, incoming and outgoing...
>>>
>> Same as the report on Lenovo 15 years ago. It definitely wasn't
>> NSA as they are the ones who reported it. While firewalling is
>> definitely a requirement we chose to just not allow the systems on
>> the network at all.
>
> The Supermicro story seemed like someone's planted FUD to me, given how emphatic the denials of Apple, Google, and of course Supermicro were. Anything's plausible. I'm surprised that non-US companies are so willing to buy American hardware, especially Intel, given that it's easy to make the same claims that the NSA may have coerced them into installing American spyware. :)
>
> I think I'd trust IBM to stand up for their own corporate honor as far as the security of their firmware, and it's probably one of the reasons why they did sell their x86 division to a Chinese company: there are major Chinese banks and institutions running on IBM mainframes, after all. They can put Lenovo servers in their mainframe racks (in place of the Lenovo ThinkPads that too easily got separated from the mainframes, making them worthless for resale), and presumably everyone is auditing each other's code enough to trust "but verify" that everything's sensible.
>
> Intel has now put so much code in their "negative rings" of the Management Engine that it's an open question whether it actually provides any security to the customer or should be disabled completely: https://en.wikipedia.org/wiki/Intel_Management_Engine
>
> One good thing about running in virtualization is that VSI can punt on the issue of auditing the security of the UEFI BIOS and all that x86 firmware that's one of the less pleasant aspects of the x86 platform. Did you know that Linux and Windows NT have to ignore the first 1MB of RAM because there's no way to find out who may be using it? https://www.phoronix.com/scan.php?page=news_item&px=Windows-Reserves-First-1MB-RAM

Cover quite a bit of ground there, but in summary, every site needs to
have techs familiar with the use of network sniffing tools like
Wireshark, tcpdump etc and know how to interpret the results. With
ever greater system complexity, the more difficult it becomes to
prove fully deterministic operation, the foundation of any security
measures built on top...

Chris
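As an added example (not part of any post in the thread), this is one way to turn the outgoing-firewall and packet-capture points above into a repeatable check: read `tcpdump -n -tttt` text output and list every connection initiated from the management-processor network to a destination outside an allowlist. The management subnet, the allowlist and the capture lines are constructed assumptions.

```python
import ipaddress
import re

# Assumptions for this example: BMC/management VLAN and permitted destinations.
MGMT_NET = ipaddress.ip_network("10.0.50.0/24")
ALLOWED_DST = [ipaddress.ip_network("10.0.0.0/16")]  # internal syslog, NTP, etc.

# Matches IPv4 lines as printed by `tcpdump -n -tttt`.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Constructed capture lines (documentation address ranges for external hosts).
SAMPLE_CAPTURE = """\
2022-05-21 14:53:49.100000 IP 10.0.50.12.49152 > 10.0.0.5.514: UDP, length 96
2022-05-21 14:53:50.200000 IP 10.0.50.12.49153 > 203.0.113.7.443: Flags [S], seq 1, win 64240, length 0
2022-05-21 14:53:50.250000 IP 203.0.113.7.443 > 10.0.50.12.49153: Flags [S.], seq 9, ack 2, win 65535, length 0
2022-05-21 14:53:50.300000 IP 10.0.50.12.49153 > 203.0.113.7.443: Flags [.], ack 10, win 64240, length 0
2022-05-21 14:53:51.000000 IP 10.0.1.20.40000 > 198.51.100.9.80: Flags [S], seq 5, win 64240, length 0
2022-05-21 14:53:52.000000 IP 10.0.50.13.123 > 198.51.100.20.123: UDP, length 48
this line is not a packet record
""".splitlines()


def classify(rest):
    """Return 'tcp' for a bare SYN, 'udp' for a datagram, else None."""
    if rest.startswith("Flags [S],"):
        return "tcp"  # SYN without ACK: a new outbound connection attempt
    if rest.startswith("UDP"):
        return "udp"
    return None  # SYN-ACK, plain ACK, data segments and so on


def unexpected_egress(lines, mgmt_net=MGMT_NET, allowed=ALLOWED_DST):
    """List (timestamp, src, dst, dport, proto) for disallowed initiations."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip non-IPv4 or malformed lines rather than failing
        proto = classify(m.group("rest"))
        if proto is None:
            continue
        src = ipaddress.ip_address(m.group("src"))
        dst = ipaddress.ip_address(m.group("dst"))
        if src not in mgmt_net:
            continue  # only traffic originated by management processors
        if any(dst in net for net in allowed):
            continue
        findings.append(
            (m.group("ts"), str(src), str(dst), int(m.group("dport")), proto)
        )
    return findings


if __name__ == "__main__":
    for ts, src, dst, dport, proto in unexpected_egress(SAMPLE_CAPTURE):
        print("%s %s -> %s:%d/%s" % (ts, src, dst, dport, proto))
```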
